NP-completeness of Certain Sub-classes 
of the Syndrome Decoding Problem 
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Abstract — The problem of Syndrome Decoding was proven to 
be NP-complete in 1978 and, since then, quite a few cryptographic 
applications have had their security rely on the (provable) 
difficulty of solving some instances of it. However, in most cases, 
the instances to be solved follow some specific constraint: the 
target weight is a function of the dimension and length of the 
code. In these cases, is the Syndrome Decoding problem still NP- 
complete? This is the question that this article intends to answer. 
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I. Introduction 

BACK in 1978, Berlekamp, McEliece and van Tilborg [1] 
have proven that the coding theory problems of COSET 
Weights and Subspace Weights are NP-complete. These 
problems, usually known by the name of SYNDROME DECOD- 
ING problem (SD), are central in code-based cryptography. 
For instance, the security of the public key cryptosystems 
of McEliece or Niederreiter directly relies on the difficulty 
of solving an instance of SD. However, these instances are 
not generic instances: the need for a trap (the secret key), 
allowing to decrypt, adds some constraints on the instances to 
solve. This allows to define a sub-class of the SD problem. In 
this article, I prove that this sub-class is also an NP-complete 
problem and propose to generalize this result to some other 
sub-classes of the SD problem. 

A. General Context 

Let C be a [rt, fc] binary linear code defined by its parity 
check matrix TL of size nxr where r = n—k. The syndrome of 
a word y is S = yH. An element of C is called a codeword, 
and is a word of null syndrome. The weight of a word y 
denotes the Hamming weight of the word, that is, the number 
of non-zero bits in y. Knowing this, we can state the two 
NP-complete problems of [1]. 

CosET Weight: 

Input: a binary matrix H, a syndrome S and a non negative 
integer w. 

Property: there exists a word y of weight < w such that 
yH = S. 

Subspace Weight: 
Input: a binary matrix H and a non negative integer w. 
Property: there exists a codeword x of weight w such that 
xH = 0. 

The first of these two problems corresponds exactly to the 
problem of decoding up to a given distance: if one can solve 



this problem, he can decode up to w errors in the code C 
defined by the parity check matrix H. 

The second one is nearly a sub-class of the first problem, 
but not exactly: the syndrome is set to 0, but the weight must 
also be exactly equal to w, so as to avoid having the null word 
as a trivial solution. 

B. The Original NP-completeness Proof 

To prove that the two previous problems are NP-complete, 
Berlekamp, McEliece and van Tilborg build reductions from 
the problem of Three Dimensional Matching. 

Three Dimensional Matching: 

Input: a subset U C T x T x T, where T is a finite set. 
Property: there exists a set W C U such that \W\ = |T|, 
and no two elements of W agree in any of there 
three coordinates. 
This new problem might not seem closely related to the 
previous decoding problems, but a short example makes the 
relation obvious. Let T = {1. 2, 3} and \U\ = 5 with: 



Ui 
Us 
U5 



(1,2,2) 
(2,2,3) 
(1,3,2) 
(2,1,3) 
(3,3,1) 



One can see that Ui, U^, and U5 verify the property. However, 
as soon as we remove Ui from U, no solution exists. To 
relate this problem to SD, we introduce the incidence matrix 
A defined as follows: 
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This binary matrix A of size \U\ x 3|T| contains three 1 per 
line, one for each coordinate, in the column corresponding to 
the correct element of T. With this new representation of the 
set U, finding a valid solution to the Three Dimensional 
Matching problem corresponds to finding a set of |r| rows 
of A summing to the all 1 vector 

If an algorithm is able to solve any instance of the CoSET 
Weight problem, it is enough to feed it with the parameters 
Ti. = A, S = {1, . . . ,1) w = |r| to solve any given 
instance of Three Dimensional Matching. This proves 
that CosET Weight is NP-complete. 
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Fig. 1. Matrix used to reduce THREE DIMENSIONAL MATCHING to 
SuBSPACE Weight. 

For the second reduction, Berlekamp, McEliece, and van 
Tilborg propose to build the matrix B represented on Fig. [T] 
still based on the incidence matrix A. If an algorithm is able 
to solve any instance of SUBSPACE WEIGHT, we can use it 
with pai-ameters H = B and w = 3|rp + 4|T| to solve 
the instance of Three Dimensional Matching represented 
by matrix A. For instance, any null sum of w rows of B 
containing a lines among the \U\ top ones, will necessarily 
contain between 3q!|T| and 3a|T| + 3a lines in the bottom 
part (this is because each of the first \U\ lines has weight 
3|r| + 3, and 3|T| in positions which cannot overlap). Thus, 
any solution to SUBSPACE WEIGHT with w = 3|Tp + 4|r| 
must verify a = |r| and has a weig ht of exactly 3|Tp + 3|T| 
in the bottom part with the |r| rows of A not overlapping. It 
is also a solution to Three Dimensional Matching. 

II. Some New Problems 

A. Using Goppa Codes 

In the McEliece or Niederreiter cryptosystems, the matrix 
of a Goppa code is scrambled and used as the public key, 
the secret key is the scrambling matrices that allow to use 
the standard Goppa decoding algorithm. The security of these 
construction thus relies on the hardness of two problems: 
recovering the structure of the Goppa code by unscrambling 
the public matrix, and decoding as in a random code. However, 
this code is not completely random: even if the matrix is not 
distinguishable from a random binary matrix of the same size, 
the decoding problem that has to be solved uses parameters 
which are those of a Goppa code. This means that the code 
has a length n = 2™ and a dimension k = n — mt, where 
t is the correction capacity of the code. Decoding requires to 
solve an instance of SD (the COSET WEIGHT problem to be 
more precise) with w ~ t = ""'^ . This can be formulated as 

^ ' log2 " 

a new problem: 

Goppa Parameterized Syndrome Decoding (GPSD): 
Input: a binary matrix H of size 2™ x r and a syndrome S 
of size r. 

Property: there exists a word y of weight < — such that 
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Fig. 2. Matrix used to reduce THREE DIMENSIONAL MATCHING to GoPPA 
Parameterized Syndrome Decoding. 

This new problem is NP-complete and this can be proven 
by reduction to Three Dimensional Matching using the 
matrix presented in Fig. |2l The matrix A is simply padded 
with zeroes so as to get the proportions of a Goppa code 
correcting up to |r| errors, that is, n' and r' must verify |r| = 

3\T\+r' 
log,(n' + |C/|)- 

Suppose one has an algorithm able to solve any instance of 
GPSD and he feeds it the inputs H (defined as in Fig. |2]i and 
S ~ (1, . . . , 1, 0, . . . , 0) containing 3|r| ones followed by r' 
zeroes. The sum of |T| rows of H will have a weight < 3|T 
on the first 3|T| coordinates. The only way to have the equality 
is to select |T| rows among the \U\ top rows of H and in 
the bottom part. A solution to our instance of GPSD is thus a 
solution to the underlying Three Dimensional Matching 
problem. 

We have the required reduction, the last constraint being 
that this reduction must be polynomial. For this we can set 
^ 2nog^\u\] _ |[/| so that n' < \U\ and n' + \U\ is 
the smallest power of 2 larger than \U\. Then r' = |T| x 
([log2 \ U\~\ — 3). This means that the proposed reduction is 
valid and polynomial as long as \U\ > 8. The cases where 
|J7| < 8 can anyway be solved in polynomial time and are not 
an issue. We can thus affirm that the GoPPA PARAMETERIZED 
Syndrome Decoding problem is NP-complete. 

As in the original 1978 paper, we can now try to deal 
with the problem of low weight codewords: the SUBSPACE 
Weight problem. With the constraint induced by Goppa 
codes it can be formulated as: 

GoppA Parameterized Subspace Weight (GPSW): 
Input: a binary matrix Ti of size 2™ x r. 
Property: there exists a word y of weight 2— + 1 such that 
yU = 0. 

Note that here the constraint has been modified a little: a 
Goppa code correcting t errors has a minimal distance of 2t + 
1, thus the words of minimal weight have a weight 2;^ + 1. To 
prove that this problem is NP-complete, the first idea would be 
to simply combine the two constructions of Fig. [T]and Fig. |2] 
and pad matrix B with zeroes. This could work perfectly if the 
expansion from matrix A to matrix B was not so huge. Matrix 
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Fig. 3. More compact matrices used to reduce THREE DIMENSIONAL 
Matching to Subspace Weight. 



B has a width of 3|T|(|J7| + 1) and requires to find a word 
of weight 3|Tp + 4|T|, which when plugged into the Goppa 
constraint gives 3|r|2+4|r| = 2;^ + l,withr > 3\T\{\U\ + 1). 



Thus, m > 



6(|C/| + 1) 



and the height n = 2™ of matrix H is 
exponential in \U\: this reduction is not polynomial! 

We need to find another (more compact) construction for 
B. For this we distinguish two case: if |r| is even, use matrix 
Ci in Fig. [3] if |T| is odd, use matrix €2- Suppose one has 
an algorithm solving any instance of SUBSPACE WEIGHT and 
wants to use it to solve an instance of Three Dimensional 
Matching with |T| even. He builds matrix A and expands 
it into matrix Ci of Fig. [5] by adding a row and a column of 
ones and a zero in the corner Now Ci is input to the algorithm 
with w ~ |T| + 1. A solution is a sum of |r| + 1 rows 
summing to 0, thus, |T| being even (and \T\ + 1 odd), this 
means that if a is to appear in the last position, the bottom 
row has to be selected. The |T| remaining lines are taken in 
A and must then sum to a row of ones. A solution is thus 
a solution to the Three Dimensional Matching instance. 
Now if \T\ is odd, we simply add an element v to T and the 
vector {ly, v, v) to U and can fall back to the case where \T\ 
is even. This translates in terms of incidence matrix in the 
matrix C2 of Fig. [3] Whatever the parity of |r| we can thus 
solve any instance of Three Dimensional Matching with 
a Subspace Weight algorithm. We have a vaUd reduction. 

Now we can prove that GPSW is NP-complete by com- 
bining the constructions of Fig. |2] and Fig. [3] As for GPSD, 
we choose n' such that n is the smallest possible power of 
2 greater than |J7| + 1 (or |C/| + 2) and obtain a polynomial 
time reduction as long as \U\ > 64. The GPSW problem is 
NP-complete. 

B. The General Case 

The proof we used for the Goppa Code case can trivially 
be adapted to any other constraint, as long as the following 
conditions are verified: 

• the reduction must be polynomial: the dimensions n and 
r of H must be polynomials in |J7| and |r|, 

• parameters for which the reduction cannot apply must be 
bounded by a finite value: for example the case \U\ < 8. 

The general problems can be formulated as follows: 



Parameterized Syndrome Decoding (PSD): 

Input: two integers r and w, a binary matrix TC of size nxr 

with n — f{r,w), and a syndrome S of size r. 
Property: there exists y of weight < w such that yTC — S. 

Parameterized Subspace Weight (PSW): 

Input: two integers r and w, a binary matrix H of size nxr 

with n ~ f{r, w). 
Property: there exists y of weight w such that yH = 0. 

Intuitively, these two problems should be NP-complete for 
functions / such that /(3|r|, |r|) is polynomial in |T| (and 
/(3|T| + 1, \T\ + 1), /(3|T| + 2, \T\ + 2)). However, if we 
choose f{r,w) ~ 2w (that is, we are looking for words of 
weight half the length n), even though / is polynomial, it is 
clear that the proposed reduction fails to solve any instance 
of Three Dimensional Matching where \U\ > 2\T\: one 
must always have n > \U\. Being polynomial is not enough. 

Proposition 1: Let t = \T\ and u = \U\. If there exists a 
function g, two polynomials P and Q and an integer A such 
that for all i > A and all u > A, 3i < g{t, u) < P{t, u) and 
u < f {j}{i^u)^t) < Q{t,u), then, our reduction is valid and 
the PSD problem is NP-complete. 

Proof: The polynomials P and Q are here to ensure that 
our reduction is polynomial. The value A makes sure that the 
only values for which one of the two bounds is not met are 
upper bounded: asymptotically, the reduction fits all instances. 
Then, once the two bounds are respected, the reduction works. 

In the case of Goppa codes we had f{r,w) = 2^ and 
chose g{t, u) — t x \\0g2 u] and A = 8. This way, if w > A 
we have 3t < g{t,u) < tu and }{g{t,u),t) = 2^^°^^'^'^, so 
that u < f{g{t, u), t) < 2u. 

We can state a very similar (but far less easy to read) 
proposition for the PSW problem. 

Proposition 2: Let i = |r| and u = \U\. If there exists 
two functions g and g', two polynomials P and Q and an 
integer A such that for all even value of t > A and all u > A, 
3t+l < g{t,u) < P[t,u) andu+1 < f{g{t,u),t) < Q{t,u), 
and for all odd value of t > X and all u > A, 3t + 2 < 
g'(t, u) < P{t, u) and w + 2 < f{g'{t, u), t) < Q{t, u), then, 
our reduction is valid and the PSW problem is NP-complete. 

III. Conclusion 

In this article some new variants of the Syndrome Decoding 
problem, fitting the specific parameters of Goppa codes are 
proven to be NP-complete. For this a new, more compact, NP- 
completeness reduction for the SUBSPACE Weight problem 
is given. This proof should easily be generalized to other 
constraints for other classes of codes, as long as the constraint 
verifies some given properties. I leave it to other authors, with 
other specific constraints, to check wether or not the generic 
reduction I presented still works for them. 
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